How to disable OneTouch or OTP for specific users on RADIUS Authenticators.

Last modified on 24 Feb, 2021. Revision 12
Up to date for EasyAccess 3.0. Status: OK

Perhaps you want a soft roll-out, or to disable two-factor authentication for certain users (not recommended). But how do you do that? It is actually pretty simple: we only need to set one of two properties on the Item that is returned in the Authentication Pipe:

disable_ot (for OneTouch)

disable_otp (for OTP: email, OnePass, SMS etc.)

Note that it is enough for the property to exist; the value of the property does not matter.

More information here:

https://document.phenixid.net/m/90910/l/1138846-disable-otp-one-touch-for-radius-authenticators

And of course, just to mention this again, this is not recommended.

Disable OTP if you are member of specific group

This assumes that you have created your standard Username, password & token scenario. Go to your scenario, open the Execution flow tab and add two valves after the LDAPSearchValve:

PropertyContainsValve

{
  "name" : "PropertyContainsValve",
  "config" : {
    "dest" : "disable_otp",
    "source" : "memberOf",
    "token" : "CN=NoOTP,OU=SecurityGroups,DC=company,DC=local"
  }
},

This looks for the token in the memberOf property; if it exists, disable_otp is set to "true", otherwise to "false".


PropertyRemoveValve

{
  "name" : "PropertyRemoveValve",
  "config" : {
    "name" : "disable_otp",
    "skip_if_expr" : "flow.getPropertyValue('disable_otp','')==('true')"
  }
}

Now we need to remove the property disable_otp if it is set to false, otherwise OTP will be disabled for all users (the property exists for everyone, and only its existence counts).


Note that the memberOf property must be present on the current Item for this to work, so the LDAPSearchValve needs to fetch this attribute:

LDAPSearchValve

{
        "name": "LDAPSearchValve",
        "config": { 
              "connection_ref":"b0f2ddff-9585-47c5-9286-2bee2b731197",
              "base_dn":"dc=example,dc=com",
              "scope":"SUB",
              "size_limit":"0",
              "filter":"uid=",
              "attributes":"memberOf" 
        }
}

Disable OTP if there is no OTP enrolled (onepass)

This will show how to disable OTP if there is no OnePass token enrolled.

This assumes that you have created your standard Username, password & Token scenario or Username and Token scenario. Go to your scenario, open the Execution flow tab and add three valves after the LDAPSearchValve in the following order:


First we will add a property containing the type of token we want to check for; for OneTouch it is OATH:

PropertyAddValve

{
        "name": "PropertyAddValve",
        "config": { 
              "name":"get_value_attribute",
              "value":"TOKEN",
              "splitter" : ";"
        }
}


Next we check in the database whether the user has an OATH token enrolled; the result, either true or false, is stored in the get_value property on the item.

GetTokenExistsValve

{
    "name": "GetTokenExistsValve",
    "config": {
        "get_value_attribute_key": "get_value",
        "username_attribute":"User-Name",
        "get_value_attribute":"get_value_attribute"
    }
}


Next we add a property, but only if the user does not have a token enrolled:

PropertyAddValve

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_otp",
    "skip_if_expr" : "flow.getPropertyValue('get_value','')==('true')"
  }
}


This will disable OTP if the user has not enrolled a OnePass token.


Disable OneTouch if you are member of specific group

We can also do the same as for OTP with OneTouch by setting the disable_ot property in the flow.

This assumes that you have created your standard Username, password & OneTouch scenario or Username and OneTouch scenario. Go to your scenario, open the Execution flow tab and add two valves after the LDAPSearchValve:

PropertyContainsValve

{
  "name" : "PropertyContainsValve",
  "config" : {
    "dest" : "disable_ot",
    "source" : "memberOf",
    "token" : "CN=NoOT,OU=SecurityGroups,DC=company,DC=local"
  }
},

This looks for the token in the memberOf property; if it exists, disable_ot is set to "true", otherwise to "false".


PropertyRemoveValve

{
  "name" : "PropertyRemoveValve",
  "config" : {
    "name" : "disable_ot",
    "skip_if_expr" : "flow.getPropertyValue('disable_ot','')==('true')"
  }
}

Now we need to remove the property disable_ot if it is set to false, otherwise OneTouch will be disabled for all users (the property exists for everyone, and only its existence counts).


Note that the memberOf property must be present on the current Item for this to work, so the LDAPSearchValve needs to fetch this attribute:

LDAPSearchValve

{
        "name": "LDAPSearchValve",
        "config": { 
              "connection_ref":"b0f2ddff-9585-47c5-9286-2bee2b731197",
              "base_dn":"dc=example,dc=com",
              "scope":"SUB",
              "size_limit":"0",
              "filter":"uid=",
              "attributes":"memberOf" 
        }
}
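The group-membership variant for both disable_otp and disable_ot above, as an added simulation that is not PhenixID or EasyAccess code: it models the PropertyContainsValve and PropertyRemoveValve pair with the semantics the article describes (dest becomes "true" or "false", skip_if_expr skips a valve when it evaluates true, and the second factor is disabled as soon as the property exists). The skip_if_expr evaluator, the sample users and their memberOf values are constructed for the example; the group DN for disable_otp is the one from the article. It also shows what happens when the PropertyRemoveValve is left out.

```python
"""Added example (not PhenixID/EasyAccess code): simulate the
PropertyContainsValve + PropertyRemoveValve pair for disable_otp / disable_ot."""
import re

# Matches the only skip_if_expr form used in the article (constructed evaluator).
SKIP_EXPR = re.compile(r"flow\.getPropertyValue\('([^']+)','([^']*)'\)==\('([^']*)'\)")


def skip_if(expr, item):
    """True when the valve carrying this expression should be skipped."""
    m = SKIP_EXPR.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    prop, default, expected = m.groups()
    return item.get(prop, default) == expected


def property_contains_valve(item, cfg):
    """Set dest to "true" if token is among the source values, else "false"."""
    values = item.get(cfg["source"], [])
    if isinstance(values, str):
        values = [values]
    item[cfg["dest"]] = "true" if cfg["token"] in values else "false"


def property_remove_valve(item, cfg):
    """Remove the named property unless skip_if_expr says to skip the valve."""
    if "skip_if_expr" in cfg and skip_if(cfg["skip_if_expr"], item):
        return
    item.pop(cfg["name"], None)


VALVES = {"PropertyContainsValve": property_contains_valve,
          "PropertyRemoveValve": property_remove_valve}


def run_pipe(item, valves):
    """Run the valve list over the item in order, as the execution flow would."""
    for valve in valves:
        VALVES[valve["name"]](item, valve["config"])
    return item


def group_bypass_valves(prop, group_dn, with_remove=True):
    """The two valves from the article, parametrised on disable_otp / disable_ot."""
    valves = [{"name": "PropertyContainsValve",
               "config": {"dest": prop, "source": "memberOf", "token": group_dn}}]
    if with_remove:
        valves.append({"name": "PropertyRemoveValve",
                       "config": {"name": prop,
                                  "skip_if_expr": f"flow.getPropertyValue('{prop}','')==('true')"}})
    return valves


def second_factor_disabled(item, prop):
    # The factor is disabled whenever the property exists, whatever its value.
    return prop in item


NO_OTP = "CN=NoOTP,OU=SecurityGroups,DC=company,DC=local"  # group DN from the article

# Constructed sample items, as an LDAPSearchValve returning memberOf would leave them.
alice = {"User-Name": "alice",
         "memberOf": [NO_OTP, "CN=Staff,OU=SecurityGroups,DC=company,DC=local"]}
bob = {"User-Name": "bob",
       "memberOf": ["CN=Staff,OU=SecurityGroups,DC=company,DC=local"]}

if __name__ == "__main__":
    for user in (dict(alice), dict(bob)):
        run_pipe(user, group_bypass_valves("disable_otp", NO_OTP))
        print(user["User-Name"], "OTP disabled:", second_factor_disabled(user, "disable_otp"))
    # Without the PropertyRemoveValve, bob keeps disable_otp="false", which
    # still disables OTP because only the property's existence counts.
    bob_no_remove = run_pipe(dict(bob), group_bypass_valves("disable_otp", NO_OTP, with_remove=False))
    print("bob without remove valve, OTP disabled:", second_factor_disabled(bob_no_remove, "disable_otp"))
```

Running it prints that alice (a member of the NoOTP group) has OTP disabled and bob does not, and that dropping the PropertyRemoveValve disables OTP for bob as well; that last case is the "disabled for all users" failure the article warns about.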

Disable OneTouch if there is no OneTouch enrolled

We can also do the same as for OTP with OneTouch by setting the disable_ot property in the flow.

This assumes that you have created your standard Username, password & OneTouch scenario or Username and OneTouch scenario. Go to your scenario, open the Execution flow tab and add three valves after the LDAPSearchValve in the following order:


First we will add a property containing the type of token we want to check for; for OneTouch it is PKI:

PropertyAddValve

{
        "name": "PropertyAddValve",
        "config": { 
              "name":"get_value_attribute",
              "value":"PKI",
              "splitter" : ";"
        }
}


Next we check in the database whether the user has a token of the type configured above (PKI) enrolled; the result, either true or false, is stored in the get_value property on the item.

GetTokenExistsValve

{
    "name": "GetTokenExistsValve",
    "config": {
        "get_value_attribute_key": "get_value",
        "username_attribute":"User-Name",
        "get_value_attribute":"get_value_attribute"
    }
}


Next we add a property, but only if the user does not have a token enrolled:

PropertyAddValve

{
  "name" : "PropertyAddValve",
  "config" : {
    "name" : "disable_ot",
    "skip_if_expr" : "flow.getPropertyValue('get_value','')==('true')"
  }
}


This will disable OneTouch if the user has not enrolled a OneTouch token.
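The "no token enrolled" variants for OnePass (TOKEN / disable_otp) and OneTouch (PKI / disable_ot), as an added simulation that is not PhenixID or EasyAccess code: it models the PropertyAddValve, GetTokenExistsValve and conditional PropertyAddValve sequence with the semantics the article states (GetTokenExistsValve stores "true" or "false" in get_value, and a valve with skip_if_expr is skipped when the expression is true). The in-memory token store, the usernames and the skip_if_expr evaluator are constructed for the example. The final valve is skipped when get_value is "true", so the disable property is only added for users with no token of the requested type; the worked users show that a PKI enrolment does not count as a OnePass token and vice versa.

```python
"""Added example (not PhenixID/EasyAccess code): simulate the three-valve
"disable the second factor when nothing is enrolled" flow."""
import re

SKIP_EXPR = re.compile(r"flow\.getPropertyValue\('([^']+)','([^']*)'\)==\('([^']*)'\)")

# Constructed enrolment store: username -> set of enrolled token types.
TOKEN_DB = {"alice": {"TOKEN"}, "carol": {"PKI"}, "bob": set()}


def skip_if(expr, item):
    """True when the valve carrying this expression should be skipped."""
    m = SKIP_EXPR.fullmatch(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr}")
    prop, default, expected = m.groups()
    return item.get(prop, default) == expected


def property_add_valve(item, cfg):
    """Add the named property unless skip_if_expr says to skip the valve.
    The article's final PropertyAddValve gives no value; existence is what matters."""
    if "skip_if_expr" in cfg and skip_if(cfg["skip_if_expr"], item):
        return
    item[cfg["name"]] = cfg.get("value", "")


def get_token_exists_valve(item, cfg):
    """Store "true"/"false" in the result property depending on enrolment."""
    user = item[cfg["username_attribute"]]
    wanted = item[cfg["get_value_attribute"]]
    enrolled = TOKEN_DB.get(user, set())
    item[cfg["get_value_attribute_key"]] = "true" if wanted in enrolled else "false"


VALVES = {"PropertyAddValve": property_add_valve,
          "GetTokenExistsValve": get_token_exists_valve}


def run_pipe(item, valves):
    """Run the valve list over the item in order, as the execution flow would."""
    for valve in valves:
        VALVES[valve["name"]](item, valve["config"])
    return item


def no_enrolment_valves(token_type, prop):
    """The three valves from the article; token_type is TOKEN or PKI,
    prop is disable_otp or disable_ot. The splitter key is carried over from
    the article's configuration but is not needed by this simulation."""
    return [
        {"name": "PropertyAddValve",
         "config": {"name": "get_value_attribute", "value": token_type, "splitter": ";"}},
        {"name": "GetTokenExistsValve",
         "config": {"get_value_attribute_key": "get_value",
                    "username_attribute": "User-Name",
                    "get_value_attribute": "get_value_attribute"}},
        {"name": "PropertyAddValve",
         "config": {"name": prop,
                    "skip_if_expr": "flow.getPropertyValue('get_value','')==('true')"}},
    ]


def second_factor_disabled(username, token_type, prop):
    """Run the flow for one RADIUS user and report whether prop ended up on the item."""
    item = run_pipe({"User-Name": username}, no_enrolment_valves(token_type, prop))
    return prop in item


if __name__ == "__main__":
    for user in TOKEN_DB:
        print(user,
              "OTP disabled:", second_factor_disabled(user, "TOKEN", "disable_otp"),
              "OneTouch disabled:", second_factor_disabled(user, "PKI", "disable_ot"))
```

A user unknown to the token store behaves like bob: no enrolment of either type, so both properties are added and both factors are bypassed for that user. That is the risk the article flags as "not recommended": anyone who can authenticate with only the first factor and has no token enrolled gets single-factor access.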

